1. Field of the Invention
This invention pertains in general to computer security and in particular to secure data transfer using quick response (QR) and other forms of codes.
2. Description of the Related Art
Users of modern electronic devices face a wide variety of threats. For example, innocent-looking websites can surreptitiously phish confidential information from users. The websites and other sources can also provide malicious software (malware) such as computer viruses, worms, Trojan horse programs, spyware, adware, and crimeware. The malware can surreptitiously capture important information such as logins, passwords, bank account identifiers, and credit card numbers. Similarly, malware can provide hidden interfaces that allow the attacker to access and control the compromised device, or that charge hidden fees to the user of the device.
Transferring information (e.g., a uniform resource locator (URL) to a website) across multiple devices (e.g., from a personal computer to a mobile phone) amplifies the potential threats because the information can be intercepted and subverted before it reaches a receiving device. In order to help users secure the information transfer, various information encoding techniques, such as quick response (QR) codes and other types of bar codes, are used to encode and/or encrypt the information to be transferred. For example, QR codes can be used to encode URLs, telephone numbers, email addresses and contact information being transferred to a device. The receiving device (e.g., the mobile phone) accesses the information contained in the QR codes with a QR code reader application running on the receiving device. Using the decoded information, a user of the device can, e.g., connect to a web page or call a phone number referenced in the information.
Existing data transfer schemes using QR codes rely on the assumption that the data to be transferred are legitimate (e.g., not compromised by malware or otherwise malicious). However, the data to be transferred can pose security risks to a receiving device. For example, a website referenced by a URL sent to the device via a QR code can distribute malicious software and/or have a bad reputation for exposing confidential information. Similarly, a phone number sent to the device can result in hidden charges to the user of the device, even if the phone number is embedded within contact information for a legitimate entity. As a result, a user of the receiving device can be misled into interacting with data that expose the user to malicious activity.